UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

OFFICE OF THE INSPECTOR GENERAL

September 17, 2012

MEMORANDUM TO: R. William Borchardt
               Executive Director for Operations

FROM:          Stephen D. Dingbaum /RA/
               Assistant Inspector General for Audits

SUBJECT:       MEMORANDUM REPORT: AUDIT OF NRC’S CONTRACT ADMINISTRATION OF THE EPM CONTRACT (OIG-12-A-18)

The Office of the Inspector General (OIG) conducted an audit of the Nuclear Regulatory Commission’s (NRC) contract administration of the Enterprise Project Management (EPM) contract. The audit objective was to evaluate NRC’s contract administration for technology initiatives using EPM applications under Contract # NRC-DR-33-10-303. OIG determined that there is a lack of effective internal controls governing administration of the contract, specifically over the invoice review process. As a result, OIG identified the need to update current agency guidance as well as to certify the accuracy of invoices received from and payments made to the contract from the inception through the closeout.

Please provide information on actions taken or planned on each of the recommendations within 30 days of the date of this report.
Actions taken or planned are subject to OIG followup as stated in MD 6.1.

Audit of NRC’s Contract Administration of the EPM Contract

BACKGROUND

In November 2009, NRC entered into Contract # NRC-DR-33-10-303 to “execute its vision for implementing Microsoft technologies throughout the enterprise in a timely, efficient and secure manner.” NRC stated in the contract’s statement of work that it currently employs a variety of Microsoft technologies, including EPM tools.[1] NRC noted that these EPM applications were integral to its business operations and justified the need to obtain Microsoft consulting services to support product updates and upgrades as the agency integrates all of the existing Microsoft technologies into its current operating environment.

These EPM technologies cited by NRC in the contract are part of a Microsoft product suite that helps organizations by providing tools for scheduling, tracking, and updating projects. These applications are intended to help optimize resources, minimize costs, facilitate collaboration, manage project scope, and deliver projects on time. Essentially, Microsoft claims its EPM tools are designed to assist organizations in managing inter-related projects to ensure that constituents, contractors, and stakeholders receive clear and accurate progress reports on a regular basis.

The contract has an estimated ceiling of approximately $34 million and is an Indefinite Delivery, Indefinite Quantity (IDIQ) contract with provisions for firm fixed price and labor hour task orders.[2] The contract was awarded on November 4, 2009, for 1 year with 4 option year periods of performance.
As of July 9, 2012, NRC had spent $7,521,789.93. The contract was implemented as an umbrella contract (frequently referred to as a “blanket contract”), which provides the opportunity for multiple offices to obtain a variety of services related to implementing Microsoft EPM technologies over the contract’s designated period of performance. For example, the Office of Nuclear Reactor Regulation, the Office of New Reactors, and the Office of Information Services use the Microsoft EPM applications, including Microsoft Project Server, Microsoft Project Professional, and SharePoint to electronically support various agency programs, such as licensing programs and maintenance of existing systems.

Effective implementation of the contract requires a significant level of coordination among participating offices. For example, the Office of Administration and the Office of Information Services share responsibility for overseeing the contract’s implementation. Specifically, the Office of Administration is responsible for facilitating the contract award and closeout process and negotiating contract terms. These activities are managed by a contract specialist.
The Office of Information Services is tasked with routine contract oversight, including coordinating invoice reviews, monitoring funding, and initiating contract modifications. These activities are managed by a Contracting Officer’s Representative.[3] Individual offices that use the contract have responsibility for assigning a Task Order Manager to oversee the daily implementation of their respective task orders.

[1] EPM tools include applications such as Microsoft Project Server 2007, Microsoft SharePoint 2007, and Microsoft SQL Server 2005.
[2] An Indefinite Delivery, Indefinite Quantity contract provides for an indefinite quantity, within stated limits, of supplies or services to be furnished during a fixed period, with deliveries or performance to be scheduled by placing orders with the contractor (Federal Acquisition Regulation (FAR) 16.504).

OBJECTIVE

The audit objective was to evaluate NRC’s contract administration for technology initiatives using EPM applications under Contract # NRC-DR-33-10-303.

RESULTS

NRC’s administration of the contract demonstrates a notable lack of internal controls, specifically over the invoice review process. Invoice irregularities have occurred because NRC has not provided staff with detailed guidance that sufficiently addresses the specifics of reviewing and approving contract invoices, including those resulting from IDIQ contracts. Consequently, NRC lacks assurance that contract costs are being consistently and appropriately evaluated to determine whether they are allowable, allocable, and reasonable. OIG reviewed 83 invoices totaling approximately $6.8 million and found several irregularities.
Anomalies included costs that were outside the invoice billing period, inconsistent labor categories and contractor and job roles, as well as status reports that did not match invoice billing periods. As a result, NRC is vulnerable to potential fraud, waste, and abuse.

Federal and Industry Guidance Cites Need for Internal Controls

Federal guidance stresses the significance of implementing effective internal controls. For example, the Government Accountability Office publication, Standards for Internal Control in the Federal Government,[4] stipulates that management is responsible for establishing and maintaining internal controls to achieve the objectives of effective and efficient operations, reliable financial reporting, and compliance with applicable laws and regulations. It states that management and employees are responsible for establishing and maintaining internal controls and creating an environment that sets a positive and supportive attitude toward conscientious management and internal controls.

[3] A Contracting Officer’s Representative assists in the technical monitoring or administration of a contract (FAR Title 48, para 1.604).
[4] GAO/AIMD-00-21.3.1, issued November, 1999.

The Office of Management and Budget also stresses the importance of internal controls in OMB Circular A-123, Management's Responsibility for Internal Control. According to Circular A-123, internal controls help to ensure that desired results are achieved through effective stewardship of resources while safeguarding assets and preventing and detecting errors and fraud.
Implementing effective internal controls is especially important in the area of contract administration, where robust controls are needed to provide reasonable assurance that contract funds are not being lost to improper payments, waste, and mismanagement.

Private industry also recognizes the importance of internal controls and staff’s consistent understanding of them. For example, in its June 2012 report, Evaluating and Improving Internal Control in Organizations, the International Federation of Accountants noted, “internal controls can only work effectively when they, together with the risks they are supposed to modify, are clearly understood by those involved.”

Invoice Review Process Lacks Effective Internal Controls

Staff inconsistently review invoices

NRC’s invoice review process lacks effective internal controls. This is readily apparent in how the staff inconsistently review invoices. For example, one staff member in the Office of Administration indicated that it was up to the individual Task Order Managers to devise a process to verify that money and hours charged are reasonable and that the work was performed as claimed.

Nonetheless, some aspects of this process are described in Management Directive 11.1, NRC Acquisition of Supplies and Services. For example, the management directive requires the use of NRC Form 292, “Voucher Transmittal for Review and Approval Prior to Payment,” to be used as part of the invoice review and approval process.
This form requires the Task Order Manager/Contracting Officer’s Representative to determine that labor hours, travel, and other direct costs are “reasonable and commensurate for the type and nature of work completed during the billing period.”

According to one Office of Information Services staff member directly involved in invoice review and approvals, the staff member was directed to remove Form 292 from the invoice review process because a key stakeholder in the Division of Contracts believed it unnecessarily "cluttered up" the process. In contrast, a different staff member responsible for reviewing contract task orders stated that the Form 292 is used as a key part of that office’s review process. The staff member then produced a copy of the form that had been completed during the review and approval of a current contract invoice.

The staff member in the Office of Information Services who was instructed not to use Form 292 stated that their office was also instructed by staff in the Office of Administration, Division of Contracts, not to use MD 11.1 because it was “obsolete.” This same Office of Information Services staff member emphasized that, as a result, there is no up-to-date guidance for invoice review beyond what is currently in use.

Invoice information cannot be adequately verified

Although NRC staff purport to review contractor invoices for “reasonableness” per NRC guidance, the staff’s invoice review and approval practices do not include the steps necessary to verify that the number of contractor labor hours billed are accurate and allowable.
Specifically, source documentation, such as applicable timekeeping records or contractor time sheets, are not requested to verify the contractor labor hours invoiced. When OIG asked a Task Order Manager about the verification process for contractor invoices, the Task Order Manager indicated that it was that individual’s responsibility to perform a detailed review of invoices, monthly status reports, and the number of hours reported by the contractor. However, the staff member also noted that they did not request or review timesheets to verify labor hours billed.

Agency Guidance Is Outdated and Not Specific

Management Directive 11.1, last revised in 2006,[5] is the primary guidance document concerning the administration of NRC contracts that total approximately $144 million in expenditures for fiscal year 2012.[6] Yet, this guidance is outdated and does not provide staff with criteria that sufficiently addresses how to verify information contained in the invoices that are reviewed and approved. Overall, the guidance sets a standard that does not meet existing Federal and industry internal controls and best practices standards.

[5] Discussions with NRC staff disclosed that MD 11.1 is currently under revision and is to be finalized by May 2014.
[6] This estimate is current as of August 7, 2012.

Guidance is out of date

Agency staff noted that the staff titles appearing in Management Directive 11.1, as well as its appendices, are out of date.
For example, titles such as Project Officer and Contracting Officer are included, whereas Contracting Officer’s Representative is not included at all, despite current Federal regulation endorsing the consistent use of the term.

Moreover, the Invoice Workflow chart included with Management Directive 11.1 — which depicts the invoice review process — is out of date and no longer representative of the current process. For example, the Invoice Workflow chart indicates that contractor invoices are primarily reviewed and approved by the Project Officer, Contract Specialist, and Office of the Chief Financial Officer. However, OIG’s discussions with agency staff disclosed that contractor invoices are currently being reviewed and approved by the Contracting Officer’s Representative, the Task Order Manager from the program office that requested the work, and the Contract Specialist from the Office of Administration. Invoices and approvals are then forwarded to the Office of the Chief Financial Officer’s payment services provider — the Department of the Interior, National Business Center — for review to ensure all approvals have been submitted, accounting data is complete, and for payment processing.

Guidance is not specific

Management Directive 11.1 does not provide staff with guidance that sufficiently addresses the process for reviewing and approving invoices. For example, no specific information is provided as to what information and/or supporting source documentation should be reviewed during the invoice review process.
In fact, the Management Directive only generally states that the Project Officer [i.e., the Contracting Officer’s Representative] should review each of the invoices or vouchers submitted by the contractor to determine whether payment should be made, suspended, or disallowed. Management Directive 11.1 also states that the Contract Specialist should review an invoice to ascertain whether the contractor has expended a greater percentage of the contract's funds than can be justified by the contractor's technical progress or if the contractor's billing exceeds money obligated under the contract. The management directive does not provide details beyond these vague instructions regarding how staff should review invoices to ensure a consistent, coherent review process, particularly for the multi-office coordination issues involved in overseeing a blanket contract. As one staff member opined during a discussion with OIG, “…there are not sufficient controls in place. Management Directive 11.1 was not designed to address the management of blanket contracts.”

In addition, the contract itself does not provide any specific guidance in the form of terms and conditions that enables the review of specific charges for each task order on the invoices submitted by the contractor. Task orders are not specific to individual projects, but include a list of all allowable activities under the scope of work. Staff explained to OIG that work related to a new reactor construction database,[7] for example, could be charged under multiple task orders depending on the type of work performed. OIG questioned whether it was possible for staff to account for specific costs if multiple task orders were being used inconsistently.
Staff confirmed that this was currently not possible.

Waste, Fraud, and Abuse Risks

The lack of specific and up-to-date agencywide guidance for the administration of contracts leaves the agency vulnerable to undue risk of waste, fraud, and/or abuse. Specifically, without such guidance, NRC does not have adequate assurance that amounts billed on contractor invoices are being consistently and appropriately reviewed to ensure that invoiced costs are allowable, allocable, and reasonable. While OIG did not find any conclusive evidence of waste, fraud, or abuse, auditors did note some irregularities with regard to the contract invoices. OIG auditors reviewed 83 invoices valued at approximately $6.8 million from the inception of the contract in November 2009 to May 2012 and identified the following:

    • 12 percent of invoices had hours documented that were outside of the invoice billing period or could not otherwise be verified.
    • 25 percent of invoices included labor categories that did not appear to match designated contractor roles or could not be otherwise verified.
    • 18 percent of invoices did not have a status report period that matched the billing period.
    • 8 percent of invoices did not match job roles listed in the task order or could not otherwise be verified.

[7] The database is called the Construction Inspection Program Information Management System.
For more details, see OIG-12-A-16, Audit of NRC’s Inspections, Tests, Analyses, and Acceptance Criteria (ITAAC) Process, July 12, 2012.

Without specific guidance and the implementation of strong internal controls, there is an increased risk that potential waste, fraud, or abuse could occur and not be detected prior to invoice approval and payment.

AGENCY COMMENTS

On August 23, 2012, OIG issued the discussion draft of this report to the Executive Director for Operations. OIG met with NRC management officials and staff at an August 30, 2012, exit conference, at which time the agency provided informal comments to the draft report. The informal comments were incorporated into the draft report as appropriate. NRC management and staff reviewed the revised draft report and agreed with the findings and recommendations. The agency opted not to provide formal comments for inclusion in this final report.

RECOMMENDATIONS

OIG recommends that the Executive Director for Operations:

      1. Update Management Directive 11.1 to reflect current contract administration-related terminology, including current process flow charts illustrating specific contractor invoice review procedures.

      2. Expedite publication of interim guidance that clarifies and updates current contract administration-related terminology and processes for invoice review.

      3. Develop and implement an agencywide standard to guide the invoice review and approval process with a requirement to routinely evaluate source documentation, including but not limited to labor hour time sheets and contractor certified payroll records, as appropriate for the contract type and nature of services provided.

      4. Using the new agencywide standard, certify the accuracy of invoices received from and payments made to the contractor since the inception of Contract # NRC-DR-33-10-303 through its closeout.

SCOPE AND METHODOLOGY

The scope of the audit was limited to reviewing contract administration practices for NRC’s contract # NRC-DR-33-10-303 from inception of the contract to August 1, 2012.

The audit included interviews with agency staff from the Office of Administration, Office of Information Systems, Office of New Reactors, and the Office of the Chief Financial Officer. OIG also reviewed Federal and agency guidance that outlined the processes and procedures pertaining to the utilization and oversight of projects using EPM technologies. Guidance for contract administration and internal controls best practices were also reviewed. Auditors obtained and examined contract documents and records that delineate work pertaining to the EPM technologies, system applications, and projects. OIG reviewed 83 contractor invoices and any documentation supporting internal control review of costs for systems and projects developed or maintained under the contract.

OIG conducted this performance audit at NRC headquarters in Rockville, MD, between April 2012 and August 2012. Internal controls related to the audit objective were reviewed and analyzed. Throughout the audit, auditors were aware of the possibility or existence of fraud, waste, or misuse in the program in accordance with generally accepted Government auditing standards.

We conducted this performance audit in accordance with generally accepted Government auditing standards.
Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.

The audit work was conducted by R. K. Wild, Team Leader; Jacki Storch, Audit Manager; Larry J. Weglicki, Senior Auditor; Timothy Wilson, Senior Management Analyst; and Dana Furstenau, Student Analyst.